
<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="Two-Factor Authentication">
<meta name="product" content="">
<meta name="prodname" content="">
<meta name="version" content="">
<meta name="brand" content="Online_help_nwh">
<meta name="DC.Publisher" content="20231121">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="EN-US_TOPIC_0000001251116969">
<meta name="DC.Language" content="en-us">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>Two-Factor Authentication</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="EN-US_TOPIC_0000001251116969"></a><a name="EN-US_TOPIC_0000001251116969"></a>

<h1 class="topictitle1">Two-Factor Authentication</h1>
<div><div class="section" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_section04711154564"><h4 class="sectiontitle">Function Description</h4><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_p747224211152">Two-factor authentication grants a user access only when both the client certificate and the password are correct. It is more secure than conventional authentication that uses only the account password.</p>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p1650218543618">You can upload the root and client certificates issued by the CA to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph54874673116">BMC</span> to implement a secure connection between the client and the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph1440631153310">BMC</span> WebUI.</p>
</div>
<div class="section" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_section1673154882"><h4 class="sectiontitle">Parameter Description</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_table874165414814" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Two-Factor Authentication</caption><thead align="left"><tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row919175412813"><th align="left" class="cellrowborder" valign="top" width="25.230000000000004%" id="mcps1.3.2.2.2.3.1.1"><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p32226299571">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="74.77000000000001%" id="mcps1.3.2.2.2.3.1.2"><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p192228299574">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row019125416818"><td class="cellrowborder" valign="top" width="25.230000000000004%" headers="mcps1.3.2.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p875811234246">Two-Factor Authentication</p>
</td>
<td class="cellrowborder" valign="top" width="74.77000000000001%" headers="mcps1.3.2.2.2.3.1.2 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_p418012307488">Two-factor authentication allows users to log in to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph6282152410332">BMC</span> WebUI only after the certificate and password are correct.</p>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p140793912559">It is disabled by default.</p>
<div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note7831654788"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul1393871720563"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li622855618462">Before two-factor authentication is enabled, you must import a valid root certificate and a client certificate. Ensure that at least one set of valid certificates exists. Otherwise, authentication failures may occur in subsequent logins.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li12938171725615">After two-factor authentication is enabled, the SSH service will be automatically disabled and cannot be enabled manually.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li412616510118"><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p1912615511719"><a name="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li412616510118"></a><a name="en-us_topic_0000001206309106_en-us_topic_0152872101_li412616510118"></a>After two-factor authentication is enabled and then disabled, the SSH service is not automatically enabled. If you need to use the SSH service, manually enable it.</p>
</li></ul>
</div></div>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row1189593619556"><td class="cellrowborder" valign="top" width="25.230000000000004%" headers="mcps1.3.2.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p789511365551">OCSP Check</p>
</td>
<td class="cellrowborder" valign="top" width="74.77000000000001%" headers="mcps1.3.2.2.2.3.1.2 "><div class="notice" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note17999247013"><span class="noticetitle"> NOTICE: </span><div class="noticebody"><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul1724665443715"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li9246205413710">The check uses OCSP. Before enabling the OCSP check, ensure that communication between the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph1473903513330">BMC</span> and the OCSP server is normal. Otherwise, the web service may become unavailable.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li72461543379">Ensure that the OCSP address information has been written into the root certificate. Otherwise, two-factor authentication may fail after the OCSP check is enabled.</li></ul>
</div></div>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p12313855616">Online Certificate Status Protocol (OCSP) check verifies the validity of the client certificate during authentication. If the client certificate is invalid, the user cannot log in to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph16988538153316">BMC</span> WebUI.</p>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_p274725111487">It is disabled by default.</p>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row7901813115516"><td class="cellrowborder" valign="top" width="25.230000000000004%" headers="mcps1.3.2.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p179151335512">CRL Check</p>
</td>
<td class="cellrowborder" valign="top" width="74.77000000000001%" headers="mcps1.3.2.2.2.3.1.2 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p10221471551">The certificate revocation list (CRL) check verifies during authentication whether the certificate has been revoked. After this function is enabled, the system checks during login to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph1013812012347">BMC</span> WebUI whether the current client certificate has been revoked. If the certificate has been revoked, the authentication fails and you cannot log in to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph11444353420">BMC</span> WebUI.</p>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_p46060815498">It is disabled by default.</p>
<div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note1840743811104"><span class="notetitle"> NOTE: </span><div class="notebody"><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p6407038181015">Ensure that the CRL has been imported. Otherwise, two-factor authentication may fail after the CRL check is enabled.</p>
</div></div>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row319211540818"><td class="cellrowborder" valign="top" width="25.230000000000004%" headers="mcps1.3.2.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p147581237241">Root Certificate</p>
</td>
<td class="cellrowborder" valign="top" width="74.77000000000001%" headers="mcps1.3.2.2.2.3.1.2 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152871978_p13554327183817">Click <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_b4811639174016">Redirect</strong> to go to Certificate Management &gt; CA Certificates for subsequent operations.</p>
<div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_note104301937174217"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ul2430173710420"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li18430737184213">If there are unsaved changes, a pop-up window asks you to confirm saving the current page. After you confirm and the changes are saved, the page is redirected to the <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_b1318542914216">CA Certificates</strong> page.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li24306373426">The server certificate verification function is based on certificates that are trusted by the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph13430113774217">BMC</span> and managed as CA certificates. Each service can use any trusted CA certificate for server verification.</li></ul>
</div></div>
</td>
</tr>
<tr id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_row11192254389"><td class="cellrowborder" valign="top" width="25.230000000000004%" headers="mcps1.3.2.2.2.3.1.1 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p3774323122410">Client Certificate</p>
</td>
<td class="cellrowborder" valign="top" width="74.77000000000001%" headers="mcps1.3.2.2.2.3.1.2 "><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p3455112211112">List of the client certificates existing on the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph4503324183417">BMC</span> and information about the user, role, root certificate status, revocation status and time, and client certificate fingerprint (hash value of the client).</p>
<p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p12774142318244">The <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph172074223343">BMC</span> supports client certificates of a maximum of 16 users.</p>
<div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note395453111413"><span class="notetitle"> NOTE: </span><div class="notebody"><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ul15437113518554"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li74371035125515">Base64-coded client certificates (public key certificates) can be uploaded. Valid client certificate formats include *.cer, *.crt, and *.pem. The size cannot exceed 1 MB.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li14437335115511">Certificate revocation status.<ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul11220113716238"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li18220203742312"><strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_b1392961817346">Revoked</strong></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li182206372230"><strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_b1893314189345">Unrevoked</strong></li></ul>
</li></ul>
</div></div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_section1129192133217"><h4 class="sectiontitle">Enabling Two-Factor Authentication and Uploading Certificates to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph1868532163413">BMC</span></h4><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul16800366510"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li4807366512">Before the operation, apply for the root and client certificates (including the public key certificate and private key certificate) from a formal CA.<div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note1148424216517"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul1270622110559"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li1370610212551">Private key certificates are in .pem, .p12, or .pdx format. For details about the operations, see the operation description of the CA.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li1370618215555">For security purposes, periodically update the certificate.</li></ul>
</div></div>
</li></ul>
<ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ul17179169195814"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li1346019610614">Base64-coded root certificate and client certificate (public key certificate) can be uploaded. Valid root and client certificate formats include *.cer, *.crt, and *.pem. The size cannot exceed 1 MB.</li></ul>
<ol id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ol15305519176"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li2383142110396"><span>Upload a certificate.</span><p><ul id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ul175881029153919"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li958813299396">On the <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_b20179151401">Client Certificate</strong> page, click <span class="uicontrol" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_uicontrol1251393524312"><b>Upload</b></span> to upload the client public key certificate for the specified user.</li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_li6767931193913">Click <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_b52691818460">Redirect</strong> to upload the root certificate on the <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_b5297151614915">Certificate Management</strong> page.</li></ul>
</p></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li6821537124519"><span>Set <span class="uicontrol" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_uicontrol178203764512"><b>Two-Factor Authentication</b></span> to <span><img id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_image67567536179" src="figure/en-us_image_0000001318424853.png"></span>.</span></li></ol>
</div>
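<p>The upload rules in this section (Base64-coded file, *.cer, *.crt or *.pem, at most 1 MB, public key certificate only) can be checked on the client before a file is sent to the BMC. The Python below is an added example, not BMC code: <code>check_upload</code>, <code>make_pem</code> and the sample data are hypothetical, 1 MB is assumed to mean 1,048,576 bytes, and the fingerprint is assumed to be SHA-256 over the DER bytes, which may differ from the hash the BMC displays.</p>

```python
import base64
import binascii
import hashlib
import re
from pathlib import Path

ALLOWED_EXT = {".cer", ".crt", ".pem"}   # formats listed on this page
MAX_BYTES = 1024 * 1024                  # assumption: "1 MB" means 1 MiB
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def check_upload(name, data):
    """Return (problems, fingerprints) for one candidate upload file."""
    problems, fingerprints = [], []
    if Path(name).suffix.lower() not in ALLOWED_EXT:
        problems.append("extension is not .cer, .crt or .pem")
    if len(data) > MAX_BYTES:
        problems.append("file is larger than 1 MB")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # Binary DER is not Base64-coded, so it fails the format rule.
        return problems + ["not Base64 (PEM) text; convert DER to PEM"], []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        problems.append("no PEM block found")
    for label, body in blocks:
        if "PRIVATE KEY" in label:
            # The private key is imported into the browser only; the BMC
            # receives the public key certificate.
            problems.append("contains a private key (%s)" % label)
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected PEM block: " + label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("certificate body is not valid Base64")
            continue
        if not der.startswith(b"\x30"):   # X.509 DER begins with a SEQUENCE
            problems.append("decoded data is not a DER SEQUENCE")
            continue
        # Assumed SHA-256; compare with the fingerprint listed by the BMC.
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return problems, fingerprints


def make_pem(label, der):
    """Wrap raw bytes in a PEM block (used only for the constructed samples)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN %s-----\n%s-----END %s-----\n" % (label, b64, label)).encode("ascii")


# Constructed sample bytes, not a real certificate or key.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)
GOOD = make_pem("CERTIFICATE", SAMPLE_DER)
LEAKY = GOOD + make_pem("PRIVATE KEY", b"\x30\x03\x02\x01\x00")

if __name__ == "__main__":
    for fname, blob in [("user1.pem", GOOD), ("user1.p12", GOOD), ("bundle.pem", LEAKY)]:
        print(fname, check_upload(fname, blob))
```

<p>An empty problem list means the file meets the stated upload rules; it does not show that the certificate chains to the imported root certificate or that it is unrevoked.</p>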
<div class="section" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_section5130142173210"><h4 class="sectiontitle">Enabling Certificate Authentication</h4><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p159381634309">After uploading certificates, perform the following operations to enable certificate authentication for users who attempt to log in to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph8400340163412">BMC</span> WebUI.</p>
<ol id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ol1829451203"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li4829115113011"><span>On the client, open your browser, for example, Google Chrome <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_b62914588618">81.0.4044.138</strong>.</span><p><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p392920281178">The operations may vary depending on the type and version of the browser.</p>
</p></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li4829125112014"><span>Click <span><img id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_image1031625512227" src="figure/en-us_image_0000001274688798.png"></span> in the upper right corner, select Settings, and then select <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_b201561251883">Privacy and security</strong>.</span></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li48292511608"><span>Click <strong id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_b1993825214819">Manage certificates</strong>.</span></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li11829185111017"><span>Import the client private key certificate.</span><p><div class="note" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_note89656380912"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p426034514917">If you are required to enter a password, enter the password that was set when you applied for the certificate.</p>
</div></div>
</p></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li1582912511201"><span>Enter the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph119773439343">BMC</span> login address in the address box of the browser.</span></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li4829351504"><span>Select the client certificate as instructed.</span><p><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p512620471011">Login to the <span id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_ph147754610347">BMC</span> WebUI is successful.</p>
</p></li></ol>
</div>
<div class="section" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_section6131226326"><h4 class="sectiontitle">Deleting a Client Certificate</h4><ol id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_ol10217522117"><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li62175210113"><span>On the <span class="uicontrol" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_uicontrol12261954547"><b>Client Certificate</b></span> page, click <span class="uicontrol" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_uicontrol91471520172818"><b>Delete</b></span> next to the user whose client certificate is to be deleted.</span><p><p id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_p1317491419">A confirmation dialog box is displayed.</p>
</p></li><li id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_li3255211110"><span>Click <span class="uicontrol" id="EN-US_TOPIC_0000001251116969__en-us_topic_0000001206309106_en-us_topic_0152872101_uicontrol164951359946"><b>Yes</b></span>.</span></li></ol>
</div>
</div>
<div></div>

</body>
</html>